Thanks for joining us on the Cyber Underground. I'm Dave Stevens, your host, and today we're going to cover several topics, ending up with the Equifax breach, so stay tuned for that. Until then, let me introduce again my exceptional co-host, Mr. Andrew Lanning, Andrew the security guy. How's it going, brother? How's it going, brother? Hello, everybody. I like how it said "Equifax breach, only on the Cyber Underground." Only here. This is news everywhere. So thanks, Robert, for giving us the plug there, but this is news everywhere. Yeah, it's all over the place. Thank goodness, because that's how we do our research. Yeah. How was your week? It was like a lightning bolt. Oh. Yeah, the older I get, the faster it goes. Did you get hacked in the Equifax breach? You know what? I can't tell. And we're going to find out why. Ouch, okay. That's part of our discussion. That's part of our discussion. I'm supposed to know the script, but I didn't read it, sorry. Well, tell us what you've been doing this week. You've had a busy week. I'll tell you what. So, stemming off of last week, we had the symposium last week, right? And there was a lot of... Let's tell our audience about the symposium. The symposium for Safer, which we put on, had four sessions. One was for commercial industry, then we had a special session for the healthcare industry, then we did a special session the next day for Fedgov and DOD, and then we did another special session in the afternoon for our folks from the consulting A&E side of the house, right? And the cool thing was we're starting to get all our surveys posted, and everybody really enjoyed it. About 80% of the people gave it a five, and the rest gave it a four. So really... I sat in one of the presentations at the Pacific Club; that's really well done. Oh, yeah. It's a good spot for it. I mean, I think the environment's really good.
But we were able to discuss at length, and I think no one knew or had heard about the work that UL is doing on cybersecurity. Important. Yeah. Because they're a standards organization. Yeah. Yeah. And the Fedgov went to NIST, and NIST came to them, and they talked to them, and they've been doing standards, obviously, for a hundred-something years, right? NIST, the National Institute of Standards and Technology, another standards organization. Right. And NIST came to UL and said, hey, can you guys work on this problem, where standards for developing these products don't really exist? So you're involved with UL because you're in physical security, electronic security, and that's Underwriters Laboratories. Right. Yeah. And what do you do in electronic security? So the issue in electronic security is that we've got products that have been made pretty poorly. Our manufacturers use third-party services like Veracode, for example, to verify that the software is OK software, but they've sort of ignored a lot of what you might call the security design principles and practices in their products that we would call cybersecurity. So, how they handle passwords, or the ability to do a buffer overflow attack on the software? Yep, exactly. And even so far as their software by default may have a backdoor engineering password written into it, or they might have an FTP port, a file transfer port, open that you don't need to have open. And some of this is left over from when they were developing the product. Yeah. And they forgot to clean that up. Sure. I gave them the example... I started my talk actually by just telling everybody to think about the fact that 20 years ago Yahoo was the big search engine, and you were told never to trust someone you might meet on the Internet, right? That was the thing.
And of course, you were always told you never get in a car with a stranger. But today, 20 years later, you use the Internet to call a stranger to bring his car to you so you can ride in it. So it's no safer; there's no more security there, not from the passenger's perspective or the driver's; either one could be nuts and hack the other one up or whatever, right? And often are nuts. And so the security industry sort of had the same issue, in that all this product got developed and got onto the networks in the mid-90s, and the customer said, this is great. Give me more features. Give me more features. Give me more features. Make it cheaper, cheaper, cheaper. So that value, just like Uber brings you value at a lower cost, is what the consumer asked for. And so the industry gave it to them. Right. But we left something out. And I thought they were doing it right because they had a username and password assigned to the device, but with simple attacks against, say, webcams, the wireless webcam, you keep knocking it offline and it will keep trying to connect. And every time it does, you get something like Wireshark, a tool to do packet analysis, and you can grab all those packets and do an analysis of what that username and password is. It just keeps sending out, trying to connect, and eventually you'll hack it. And those devices are insecure because of that. Sure. And there are a lot of vulnerabilities that have been pointed out by our friends at Black Hat and a lot of these symposiums that have put on attacks on these devices and shown just how vulnerable they are. And we've had, I think, 80,000-camera botnets DDoSing Dyn, right? That company. That's right. These refrigerators and webcams and the DVR boxes that you have from your cable provider, that you have no control over, but that are sitting at your house. Sure. And they're tied to the Internet.
Yeah, and they're tied to the Internet. What did you say after the last Black Hat? You went to the Arsenal and you said, that's it. The whole world is broken. We're all broken. There's nothing we can do. It's just broken. It was scary. So, but I got to introduce this idea. And I think a lot of the folks that sat through those sessions didn't know. So, talking about UL: UL has the 2900 series of standards, and the very first one is software. And that was published, I think, earlier in the year, maybe in Q1. It's already been adopted by ANSI, which is the American National Standards Institute. And it's going through ISO now. So we're going to have an international standard soon. ISO, International Standards Organization. Yeah. So we'll have this, because a lot of these manufacturers obviously make product that ships all over the world; Tyco in my industry, United Technologies. These are huge companies. They sell product globally. So you need something that meets the international standards committees' guidance criteria. Super important, because you use these devices to protect yourself and your business. Sure. And if they're vulnerable, you've just added a way for people to break into your personal space or your business. It's really important that they follow these standards. And I think the consumer, once they're educated, like you said, is going to be looking at the product label saying, do you comply? Yes. And if you don't, I'm going to go buy another product. And they didn't know about it, right? So this is the first they're hearing of it. And the way you all set it up, you've got the general requirements in software, but there's a dash-two series for your healthcare devices, right? And then a dash-three series for the electronic security. And I think two-dash-three is the industrial control systems.
And they're going to go further with IoT, and they'll keep working on all this stuff. Explain the industrial control systems that people might not understand. You just get a control, something like that. So the utility companies, people that are moving fluids (think of water, think of petroleum, like pumping from a storage tank out to an aircraft, for example, or from a refinery to a storage tank, or from the tanker offshore into a refinery), so folks that are moving fluids, folks that are moving electricity, folks that are moving energy, also use PLCs, programmable logic controllers, to handle that. These are really an interface between high-voltage monitoring equipment, high-voltage devices that are out there in the field that are maybe measuring for pressure or measuring for flow or measuring for temperature and things like that. And these are talking back via IP to software. So you really need some kind of device in the middle that can separate that high-voltage world from the low-voltage world. And that's where the PLCs come into play. And they typically use ladder logic, and there are different manufacturers that make these things: Allen-Bradley, General Electric, folks like that, but they're pervasive in controlling our world. And they're not like Windows or anything. Oh, no, no. It's simple. Yeah, ladder logic. There's a simple code that just does that one job. Oh, yeah. Record that one feature. Remove this one thing there. Yeah. Open a door. Yeah. Close the door, or whatever. And if you've seen the interfaces written to them, have you ever been to a pump house for a wastewater treatment facility or something? You'll see all these; they look like a little pump spinning around in a direction. And it'll be measuring perhaps its RPM and its flow rate or something.
And the software that you write actually has discrete data coming off of that particular sensor that's being translated through the PLC back out to the software. So it's really cool. So that you have a war room or something. You see everything in there. Yeah. They build all this, but that's all built in software. The PLC sort of keeps you separated from all the sensor devices out there in the field. And the industrial control systems were really one of the very first ones that UL worked on. So that has also been published now. And I saw the DHS recently released, I've got the site here, the ICS-CERT VLP. This is the first instance where DHS has gone and issued training. Of course, there are like 12 courses in here. Specifically, all of them are around ICS, industrial control systems. It's super important, again, because industrial control systems, those controls, as simple as they are, if they're affected in any way, could report the wrong information, close the wrong door, move the wrong fluid, lock something, unlock something, flood the gates. And if that's critical infrastructure or there's energy involved, you could be in real trouble. Sure. Grid shut down, pumps blow up. One of the great ways to shut down a city is to blow up the wastewater treatment, right? Imagine if the wastewater treatment, you know what I'm talking about, right? When you can't use the toilets anymore in a city, and say that goes on for a week or two, you've got massive, massive problems. Epidemics, cholera, whatever the disease is. And so what was fun: we got to do that stuff last week, and then just this week, the Chamber of Commerce hosted a really great event just upstairs here from our studio. And we had some folks there from the NSA, actually the director of the NSA from Hawaii was there. The CISO from one of our large local banks. One of the small business providers was in town, was up there.
And then one of the larger sort of R&D kind of companies that's out here in Honolulu working for the DOD. And this was all about cybersecurity. And it was great to hear the NSA director get up there and talk about some things that I think not everyone knows. You were telling me NSA is working with two other organizations in the federal government. Very close-knit organizations, right? They're starting to share information and provide guidance to the consumer and to small and medium businesses, right? Yeah. And I don't know if people know; if you're kind of outside those circles, like the federal law enforcement foundation, or if you haven't been through the FBI's citizens academy, and if you're not around these government groups, you may think they're very discreet. And the NSA, of course, everyone sort of knows: the National Security Agency, right? Everyone thinks, wow, they just give us all the information that we need. They have it all. They know it all. I mean, they're the best in the world. That's the organization from the Tom Clancy novels, right? Everyone knows the NSA. And the NSA is a branch of government, under the DOD, right? So they have lanes that they have to stay in, and he explained that. And the FBI really stays in those investigative lanes for crime. Now, the third one is the Department of Homeland Security, which came up again, right? So I was just talking about how they've got this great training out for ICS, for the industrial control system community in cybersecurity. And the director was trying to explain to me: listen, people come to me all the time and, I won't mention who, say, we know you have all the answers, just tell us what we need to know. You know, outside of his lanes, talking to the community, right?
So he was able to share with us how they have their own lanes as you go up the chain. They're all married quite tightly when it comes to cybersecurity, keeping the economy safe, all those things. So when you ask the DHS, hey, what should I do for cybersecurity? You're getting the best that the NSA has and the best that they know, filtered down through the DHS for the commercial sector, for example, or critical infrastructure. The DHS really has guidance in each of those sectors; there are 16 different sectors recognized by the National Infrastructure Protection Plan, the NIPP sectors, we call those, of which even your commercial buildings, those multi-dwelling units, are one, because people live in them, right? And those are subject to attack just like anything else. A mall, for example, is subject to attack just as a utility company maybe, or a petrochemical facility. So it was refreshing to hear him sharing. I think for the folks in the room that were all cyber-concerned, you might say (most of the folks in the room are sort of the IT community around town, and many who work in cybersecurity), if they weren't in touch with InfraGard or some of these other federal agencies very often, then I think they got a good explanation of what government's doing, why they're doing it the way they're doing it, and actually how much free help is available. You're really not alone. You really don't have to make this up. There's no reason to be scared anymore. We've talked about that. The thing is, we now know what to do to work on our cyber maturity regardless of what business we're in. If we don't know, pick up the phone, call DHS. They're in town. They're authorized to come and do assessments for you. There's now grant money available to small business for some of these things.
You should do this because, as a community, we work together as a more organic unit in this country. Yeah, we have to. If you instill panic, you interrupt the business flow. If you interrupt the economy and the financial sector, you can crash a whole country and send us all into chaos. Oh, yeah. There's a delicate balance in those countries. Yeah. Okay, we're going to come back and talk about more fun stuff really soon. We're on the Cyber Underground. We're going to take a break. We'll be right back. Stay safe.

Welcome back to Cyber Underground. As you may have guessed, the country is not in panic and we have not crashed as of yet. And Andrew's going to give us a little bit more information on that. So we were talking about the whole country working as an organic unit, and all the small and medium and large businesses. We all have to keep working. We need business continuity. The economy, the financial sector, depends on confidence in the system. And if that's interrupted, we can go into chaos.
And we were discussing this earlier with a friend just a moment before the show: even if the United States' credit rating is degraded by even one level in the multinational community, we pay more interest to our lenders. Therefore, we're tapping ourselves out. Our budget goes up and taxes have to go up to compensate, all because of our credit rating. But that could be caused by some kind of a crash in our economy. Confidence in our economy. So our confidence can definitely be shattered by some sort of a major hack of a utility or something like that. Oh, it's the 2008 financial crisis. We just invested poorly and so our credit rating dropped for a while. And when did we recover? We're still working on that. They said it's going to be long and slow. Long and slow. So imagine some sort of a catastrophic global, or North American, power outage, right? Oh, yeah. Or dams getting opened up and flooding whole cities, or some crazy stuff like that. So these are some of the concerns, I think, that got addressed. But there was a lot of comfort, I think, at least from the NSA's perspective, that we've got a lot of intel out there. All the agencies are working on it. And again, DHS, if you have questions, go to their website, go to NSA's website. All of them will sort of point you to places we've talked about in the past. The National Institute of Standards and Technology, NIST, has a cybersecurity framework and now new guidance for small business. The 800-171, what is that? That's regarding controlled unclassified information. Right. So how to handle information that, say, you're working for the utility and you have a schedule of their service and maintenance or something like that. That could perhaps be considered controlled unclassified information. If I know when you're doing maintenance, maybe right after the maintenance I want to come in and jimmy around with some stuff, because I know you won't be back for another month.
And that's obvious to know, but some people don't think their CUI is actually CUI. Yeah. CUI can become CUI if you have an aggregate of enough of it; it creates a threat. Because I can kind of piece out: okay, this has thicker walls, there must be something important here. This is really close to this other structure. This has a lot of space; there must be some big military equipment here. And that could be a threat, just aggregating all that information; that becomes controlled unclassified information. Yeah, I think so. And the good thing is that I do think that for the commercial community, especially if they never worked for DoD or hadn't been around that, the NSA director definitely talked about that defense-in-depth idea, that there's really not a silver bullet out there. You're going to have to layer security, cybersecurity in particular. Seriously important, right? Layer your security; a username and password alone is just not going to protect you. The most important thing is to train your users. Sure. To be aware. And many small vendors serve, you know, one of the bases here on the island. Sure. But the way into a big target is through a little target. I don't want to go storm the main wall, right. I want to hook my donkey cart up and pretend I'm a vendor and walk through the front door, right. So I'll go and attack a small target. Didn't all their information just go public this week? Oh my gosh. Let's talk about Equifax. So financials, let's talk about the financial sector, right. You brought up how the '08 crash brought us down. Right. And here, Equifax, one of the four credit... Top three. Major credit... top three. Major credit reporting bureaus, right. They got all their records, maybe 140 million. That's half the country. That's probably close to 143 million. That's all the adults. Yeah.
All the credit, everyone who's applied for credit ever. Yeah. And a lot of people don't realize that you don't go to Equifax and say, here's all my information. You apply for credit. You apply for a loan. You apply for a credit card. All that goes to the credit agencies, all three of them; Equifax is one of them. If you go try to buy a car and you need a loan on that car. Everything that a hacker needs to become you is there. And we were victims of this with the OPM. Yeah. The OPM hack, Office of Personnel Management, for the DOD security clearances, when they got hacked. They know my brother's name and where he lives. It's a lot of in-depth information. And this one was unique. I believe what I read is that they think it's not a phishing attack, which is usually how you get around all the firewalls and stuff, by sending phishing emails with some malware attached to an attachment in an email or something. But this one seems to have been the website. It had vulnerabilities on the website. So SQL or something. Yeah. They won't tell you how it happened, but I'm sure if there's a log... because it was a WordPress site, this was probably a single... It was a WordPress site. That's what they were saying. Equifax was using a WordPress site. I don't have it yet. So equifaxsecurity2017.com, this is to see if you're affected. Now this website, I believe, is WordPress. And we found out there's only one WordPress user on there. I won't tell you which one it is. But if you go on KrebsOnSecurity.com, you'll see all these details. This is a wonderful place. By the way, don't think that if you go there, you're going to get an immediate answer. What we found, Brian Krebs found this actually, is you get an answer, and then if you go on your mobile phone and you try the same process, you're going to get the exact opposite answer. So one of them will tell you you were affected and the other one says you have not been affected. So apparently this is broken.
Equifax is not doing the job, and in addition there are three executives for the company that are already under investigation for selling stock in Equifax between the breach, in May to July, and the time at which they told the investors and the public that the breach had happened. So in the time from when they knew about it to before they told the public and the investors, these three top executives sold shares and made money. Cashed in a little bit. They cashed in before the stock dropped. That was the major thing, right? The stock dropped 13 percent. Since the announcement it's gone down 13. Probably more since we've been talking. It's taken down Target. This is what we're talking about. The financial community depends on confidence. The nation's economy depends on that same confidence. This is a system, and the only way the system works is if I have confidence in my army, my navy, my air force, my banks, my branches of government, that everybody's working. And when I think that's not effective anymore, I start to think as a person: how else can I protect myself? And that can lead to chaos. Gordo has an answer. Blockchain. Blockchain. Everything's blockchain. Well, I mean, I would think the financial sector's surely adopting it. I mean, that's the backbone of that currency. What are all these new cryptocurrencies? Ethereum. Yeah. So trust is, like, done. What's the word they use when it's federated across so many different people? Distributed. Distributed. So, distributed ledger. Trust is no... Trust is in the hashing of the token of their transaction. There's a lot of encryption in blockchain. That's going to be a tough one, right? Because security, as you know, is a running game. Yeah. We're doing security, but there are people right on our tail, and if we don't run at full speed all the time, someone's going to overtake us, and those hashes that encrypt our Bitcoin are going to get broken. We've already broken a whole bunch of hashes.
MD5 was broken in the '90s. SHA-1 was already broken. Now we're up to what? SHA-512? Yeah. I saw that they're using AES-256 for Bitcoin. Right. Okay. So it'll take a quantum computer to crack that. Quantum computers are an interesting game, for those of you out there in the world wondering what the heck a quantum computer is. A quantum computer can use photons instead of electrons to measure the state of any object, so instead of a one or a zero, a photon can actually be both at the exact same time. At the same time. So if I'm asking a question of a computer like my Mac here, it's ones and zeros of electrons, so I have to test every single possibility one at a time; it's either that or that. Quantum computers can take all the possibilities and test them at the same time. So imagine: the speed of computing is massive. And not much power to do it. It's all photons, right? That's incredible. And we have quantum computers actually in production in two private companies right now, and I believe IBM. And I think the criminal community, if we keep paying our ransomware, they're going to be buying the first one. Yeah, to break the rest of our encryption. Fortunately, the last I heard, the Navy and the Marines were already working on quantum encryption. Yeah, and China apparently, right now, they've announced that they're going to have a com network up that's quantum-encrypted. Yeah, the most secure communications network. How's that? Wow. And we're going way up. We're at least just saying AES-256 isn't going to last forever. No. There's going to be a point at which the box is going to have to change its hashing, right? I'm sure they can just make them longer, right? They can make them longer and it won't matter, because if we're using quantum technology it doesn't matter, the length.
Oh yeah, it's the method. And we get back to protecting your assets, protecting your home. One thing doesn't do it; like I said, there's no silver bullet. You have to have a method to protect yourself; there are several layers you have to go through to get into your building. Your building has a mantrap, right? Mine does, yeah. So you go inside, you have to enter the first door and be authorized, then you have to stand there and be recognized before you get into the second door, right? That's just one layer, and when you get inside you have an ID badge, I would assume. Yeah, everyone's got to have an ID badge. You see someone wander in the hall and they say, where's the restroom? And if they don't have a badge, you escort them to the front, or around the back, one way or the other. Yeah, layers. And I don't think people understand that; they put that Wi-Fi router into their business and then they just say, oh yeah, username, password, I'm done. Yeah. Cisco puts out their threat of the week, the vulnerability of the week, and I think this week it was an AT&T device. Sharknado, they called it. So these were some AT&T Arris routers; these are common home routers for distributing either fiber-connected Internet to your home or your business, or cable-connected. So these manufacturers have some vulnerabilities in these products. That was the most touted or most-seen attacked vulnerability this week, by Cisco, in North America. Wow. Well, ladies and gentlemen, tune back in next time; we'll be here next week discussing stuff like this again to keep you safe. I'm Dave Stevens, this is Andrew the security guy. Aloha from the Cyber Underground.